Russia-linked Sandworm continues to conduct attacks against Ukraine

Pierluigi Paganini May 21, 2022

Security researchers from ESET reported that the Russia-linked APT group Sandworm continues to target Ukraine.

Security experts from ESET reported that the Russia-linked cyberespionage group Sandworm continues to launch cyber attacks against entities in Ukraine.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

According to the CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2, the variant analyzed by the researchers were customized to target respective substations.

The attackers also employed the CADDYWIPER wiper to target Windows-based systems, while hit server equipment running Linux operating systems with ORCSHRED, SOLOSHRED, AWFULSHRED desruptive scripts.

“Centralized distribution and launch of CADDYWIPER is implemented through the Group Policy Mechanism (GPO). The POWERGAP PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer.” reads the advisory published by the Ukrainian CERT. “The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. IMPACKET is used for remote execution of commands.”

CERT-UA states that the APT groups launched at least two waves of attacks against the energy facilities. The initial compromise took place no later than February 2022. Interestingly, the disconnection of electrical substations and the decommissioning of the company’s infrastructure was scheduled for Friday evening, April 8, 2022.

The good news is that the attacks were detected and neutralized by government experts with the help of cybersecurity firms ESET and Microsoft.

The CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies.

Security firm ESET, which helped the Ukrainian government, published a detailed report on the Industroyer2 wiper used to target a Ukrainian energy company.

Now, the experts from ESET announced the discovery of a new variant of a malware loader used by the threat actors as part of the Industroyer2 attacks, CERT-UA tracked the malicious code as ArguePatch.

#BREAKING #Sandworm continues attacks in Ukraine . #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware @_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 pic.twitter.com/y3muhtjps6
— ESET Research (@ESETresearch) May 20, 2022

According to the researchers, the Industroyer2 attacks employed a patched version of HexRaysSA IDA Pro’s remote debug server (win32_remote.exe) that was crafted to include code to decrypt and run CaddyWiper from an external file.

The APT group has hidden the ArguePatch in an ESET executable (eset_ssl_filtered_cert_importer.exe), the malicious code was overwritten in a function called during the MSVC runtime initialization.

The analysis of the injected code revealed it was designed to act as a loader of the next stage malware at a particular time.

“This replaces the need to setup a Windows scheduled task for future detonation. This is perhaps a way to evade detections using known TTPs.” explained ESET is a series of tweets.

This replaces the need to setup a Windows scheduled task for future detonation. This is perhaps a way to evade detections using known TTPs. 5/6
— ESET Research (@ESETresearch) May 20, 2022

The experts shared indicators of Compromise (IoC) for this attack.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Sandworm)

[adrotate banner=”5″]

[adrotate banner=”13″]

APT Hacking hacking news information security news Intelligence IT Information Security malware Pierluigi Paganini Russia Sandworm Security Affairs Security News Ukraine

Pierluigi Paganini July 08, 2025

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 08, 2025